[podcast]http://isd.psysmic.com/podcasts/InfoSec Daily Podcast Episode 24.mp3[/podcast]

Sponsors: This podcast is sponsored in part by Webspeedway, your Virtual IT Department.  When your systems are down, as a small and medium-sized businesses the resulting downtime can have a devastating impact.Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.

Goto www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.

1. PHP ‘proc_open()’ ‘safe_mode_protected_env_var’ Restriction-Bypass Vulnerability – PHP is prone to a safe_mode restriction-bypass vulnerability. Successfully exploiting this issue may allow attackers to alter the process environment, which may lead to other attacks. Versions prior to PHP 5.3.1 are vulnerable. To exploit this issue, an attacker can use readily available tools as well exploit code is available in the wild.
2. Postfix Local Information Disclosure and Local Privilege Escalation Vulnerabilities – Postfix is prone to a local privilege-escalation vulnerability and a local information-disclosure vulnerability.  Local attackers can exploit this issue to read other users’ mail or execute arbitrary commands with superuser privileges.  Versions prior to Postfix 2.5.4 Patchlevel 4 are vulnerable.  An attacker uses readily available commands to exploit these issues. Proof-of-concept shell script is available in the wild.
3. Apache mod_perl ‘Apache::Status’ and ‘Apache2::Status’ Cross Site Scripting Vulnerability – The Apache ‘mod_perl’ module is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.  To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URL. Example URL code is available in the wild.
4. Ruby ‘OCSP_basic_verify()’ X.509 Certificate Verification Vulnerability – Ruby is prone to an X.509 certificate-verification vulnerability. Exploiting this issue may allow an attacker to have a revoked x.509 certificate accepted as valid. This may allow the attacker to conduct phishing attacks or to impersonate legitimate sites. Other attacks are also possible. Ruby 1.8.7 and 1.9.1 are vulnerable; other versions may also be affected.   An attacker may use readily available utilities to carry out this attack.
5. MySQL Command Line Client HTML Special Characters HTML Injection Vulnerability – MySQL is prone to an HTML-injection vulnerability because the application’s command-line client fails to properly sanitize user-supplied input before using it in dynamically generated content.  Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.  Attackers can use readily available tools to exploit this issue. Example code is available in the wild.
6. MySQL ‘sql_parse.cc’ Multiple Format String Vulnerabilities – MySQL is prone to multiple format-string vulnerabilities. Attackers can leverage these issues to execute arbitrary code within the context of the vulnerable application. Failed attacks will likely cause denial-of-service conditions. MySQL 4.0.0 through 5.0.75 are vulnerable; other versions may also be affected. Proof of concept code is available in the wild.
7. Microsoft HTML Help Workshop ‘.hhp’ File Handling Buffer Overflow Vulnerability – Microsoft HTML Help Workshop is prone to a remote buffer-overflow vulnerability. The vulnerability occurs when the application handles a malformed HTML Help Workshop Project (‘.hhp’) file. An attacker may exploit the issue to execute arbitrary code in the context of the application. This vulnerability affects HTML Help Workshop 4.74 and prior versions.  Exploit code is available in the wild.
8. Dia ‘PySys_SetArgv’ Remote Command Execution Vulnerability – Dia is prone to a remote command-execution vulnerability that could allow an attacker to execute the vulnerable application in a directory containing a malicious Python file by enticing an unsuspecting victim . A successful exploit the execution of Python commands running with the privileges of the currently logged-in user.  This attack can be exploited by using commonly available tools. Core Security has developed a working commercial exploit for CORE IMPACT.

News item 1: http://www.microsoft.com
Microsoft patched 12 vulnerabilities in Windows, Office and Internet Explorer (IE), including three critical bugs in the company’s newest browser, IE8.Of the 12 flaws fixed in Tuesday’s six security updates, seven were rated “critical,” the highest severity ranking in Microsoft’s four-step scoring system. Four of the remaining flaws were pegged as “important,” one step lower on the scale, while the final vulnerability was labeled “moderate.”MS09-069 :Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service
Important http://www.microsoft.com/MS09-069.mspx

MS09-070 :Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution
Important http://www.microsoft.com/MS09-070.mspx

MS09-071 :Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution
CRITICAL http://www.microsoft.com/MS09-071.mspx

MS09-072 :Cumulative Security Update for Internet Explorer
CRITICAL http://www.microsoft.com/MS09-072.mspx

MS09-073 :Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution
Important http://www.microsoft.com/MS09-073.mspx

MS09-074 :Vulnerability in Microsoft Office Project Could Allow Remote Code Execution
CRITICAL http://www.microsoft.com/MS09-074.mspx

Security researchers unanimously voted MS09-072, the five-patch update for IE, as the one that demands immediate attention.

News item 2: http://www.kb.cert.org/vuls/id/723308
According to the US Cert, TCP implementations from multiple vendors are vulnerable to malicious or misbehaving connections that indefinitely advertize a zero receive window. RFC 1122 section 4.2.2.17 states that “A TCP MAY keep its offered receive window closed indefinitely. As long as the receiving TCP continues to send acknowledgments in response to the probe segments, the sending TCP MUST allow the connection to stay open.” The TCP connection is open however no data is being transmitted. This “stalled” state is generally referred to as the TCP persist condition.

Not sure if this has been seen, but if you read the RFC, this could be significant as it would obviously result in a DoS capability for all implementations.News item 3:  http://testlab.sit.fraunhofer.de/content/output/project_results/bitlocker_skimming/Microsoft dismissed recently-disclosed threats to its BitLocker disk-encryption technology as “relatively low risk,” noting that attackers must not only have physical access to a targeted PC, but must manipulate the machine two separate times.

The company’s move was prompted by a paper published by five German researchers at the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT), a Darmstadt, Germany-based security company. In the paper, the researchers spelled out multiple attack scenarios criminals could use to access files protected by BitLocker.

BitLocker, which Microsoft debuted in higher-end versions of Windows Vista, is included only in Windows 7 Ultimate and Windows 7 Enterprise , available only to companies and organizations that buy Windows licenses in volume, as well as Windows Server 2008 and Server 2008 R2. The software encrypts disk volumes and locks them with a PIN, USB-based key device or, if the computer includes one, a Trusted Platform Module (TPM) chip.

The Fraunhofer SIT researchers spelled out five attack possibilities, including one where the attacker boots the PC from a flash drive and replaces the BitLocker bootloader with a substitute bootloader that spoofs the PIN request process, then snatches the PIN and saves it to disk or sends it elsewhere using the computer’s wireless connection. Later, the attacker must revisit the PC to use the purloined PIN to access the BitLocker-protected data.

News item 4: http://www.microsoft-watch.com/content/web_services_browser/microsoft_executive_suggests_google_de-listing_a_no-go.html?kc=MWRSS02129TX1K0000535&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+RSS%2FMicrosoftWatch+%28Microsoft+Watch%29